eBPF-Guard: a detection method for container escape via multi-level monitoring and enhanced analysis model

Article

Li, Xiaotang, Chen, Zhide, Yang, Wencheng, Yang, Xuechao, Luo, Junwei and Yang, Xu. 2026. "eBPF-Guard: a detection method for container escape via multi-level monitoring and enhanced analysis model." Empirical Software Engineering: an international journal. 31 (3). https://doi.org/10.1007/s10664-025-10784-1
Article Title

eBPF-Guard: a detection method for container escape via multi-level monitoring and enhanced analysis model

ERA Journal ID17848
Article CategoryArticle
AuthorsLi, Xiaotang, Chen, Zhide, Yang, Wencheng, Yang, Xuechao, Luo, Junwei and Yang, Xu
Journal TitleEmpirical Software Engineering: an international journal
Journal Citation31 (3)
Article Number51
Number of Pages22
Year2026
PublisherJohn Wiley & Sons
Place of PublicationUnited States
ISSN1382-3256
1573-7616
Digital Object Identifier (DOI)https://doi.org/10.1007/s10664-025-10784-1
Web Address (URL)https://link.springer.com/article/10.1007/s10664-025-10784-1
Abstract

In recent years, cloud-native technologies have rapidly penetrated containerized environments. Their lightweight, flexible, and portable features have made them highly popular among developers. However, the extensive use of containers has also made them a prime target for network attacks, with container vulnerabilities and dangerous mounts frequently leading to container escapes. To address this, this paper proposes a new method that combines eBPF-based multi-level container behavior monitoring with LLM-based anomaly detection. Probes are deployed in the system kernel to conduct multi-level monitoring of container system activities, call features, and behavior logs. The strong semantic understanding and pattern-recognition capabilities of LLMs are utilized to uncover hidden features and abnormal behaviors in the data, enabling precise detection of container issues. Specifically, lightweight eBPF probes are deployed in Linux kernel Namespaces and Cgroups. By parsing node identifiers (Node IDs) in Cgroup hierarchy management and the process isolation features of PID/UID Namespaces, a monitoring chain for cross-host container interactions is constructed. This enables non-intrusive collection of file operations, system calls, and network traffic. During data processing, a dual-window partitioning mechanism and a feature extraction framework based on event type distribution and time-series dependencies are employed. In the behavior analysis layer, we designed a three-layer Chain-of-Thought (CoT) prompt template ("Question-Reasoning-Answer"). Container behavior logs are converted into natural language reasoning chains and embedded into a Q-A-formatted dataset with logical reasoning chains. The Qwen1.5-1.8B-Chat model is fine-tuned using Low-Rank Adaptation (LoRA) technology. Experimental results show that this method performs excellently in container escape anomaly identification scenarios, achieving a detection accuracy of 99.22% in simulated malicious attack scenarios.

KeywordsCloud native ; Container attack; Container ; Large language model ; eBPF
Contains Sensitive ContentDoes not contain sensitive content
ANZSRC Field of Research 2020461299. Software engineering not elsewhere classified
Public Notes

Files associated with this item cannot be displayed due to copyright restrictions.

Byline AffiliationsFujian Normal University, China
School of Science, Engineering & Digital Technologies- Maths,Physics & Computing
Royal Melbourne Institute of Technology (RMIT)
Minjiang University, China
Permalink -

https://research.usq.edu.au/item/10138q/ebpf-guard-a-detection-method-for-container-escape-via-multi-level-monitoring-and-enhanced-analysis-model

Log in to edit
  • 13
    total views
  • 0
    total downloads
  • 13
    views this month
  • 0
    downloads this month

Export as

Related outputs

Open set recognition of radar specific emitter based on adversarial reciprocal point learning
Zhang, Wenxu, An, Lin, Yang, Wencheng, Zhao, Zhongkai and Liu, Feiran. 2026. "Open set recognition of radar specific emitter based on adversarial reciprocal point learning." Signal Processing. 238. https://doi.org/10.1016/j.sigpro.2025.110137
The Chance Set-Up on Pattern Discovery
Elnour, Ammar, Yang, Wencheng and Li, Yan. 2025. "The Chance Set-Up on Pattern Discovery." IEEE Open Journal of the Computer Society. 6, pp. 1741-1751. https://doi.org/10.1109/OJCS.2025.3623301
SMFSwap: Student-aware multi-teacher knowledge distillation for fast face-swapping
Ding, Yifeng, Yang, Gaoming, Yin, Shuting, Zhang, Ji, Fang, Xianjin and Yang, Wencheng. 2025. "SMFSwap: Student-aware multi-teacher knowledge distillation for fast face-swapping." Neurocomputing. 649. https://doi.org/10.1016/j.neucom.2025.130807
Deep learning model inversion attacks and defenses: a comprehensive survey
Yang, Wencheng, Wang, Song, Wu, Di, Cai, Taotao, Zhu, Yanming, Wei, Shicheng, Zhang, Yiying, Yang, Xu, Tang, Zhaohui and Li, Yan. 2025. "Deep learning model inversion attacks and defenses: a comprehensive survey." Artificial Intelligence Review: an international survey and tutorial journal. 58 (8). https://doi.org/10.1007/s10462-025-11248-0
Towards auditing gradient privacy risks in image reconstruction attacks on deep learning models
Huang, Tao, Shi, Xin, Huang, Qingyu, Chen, Ziyang, Jiang, Liang, Wu, Chenhuang, Zheng, Guolong, Yang, Xu and Yang, Wencheng. 2025. "Towards auditing gradient privacy risks in image reconstruction attacks on deep learning models." Discover Computing. 28 (1). https://doi.org/10.1007/s10791-025-09551-z
Using Machine Learning to Detect Vault (Anti-Forensic) Apps
Johnstone, Michael N., Yang, Wencheng and Ahmad, Mohiuddin. 2025. "Using Machine Learning to Detect Vault (Anti-Forensic) Apps." Future Internet. 17 (5). https://doi.org/10.3390/fi17050186
Nonparametric Bootstrap Likelihood Estimation to Investigate the Chance Set-up on Clustering Results
Elnour, Ammar, Yang, Wencheng and Li, Yan. 2025. "Nonparametric Bootstrap Likelihood Estimation to Investigate the Chance Set-up on Clustering Results." IEEE Open Journal of the Computer Society. 6, pp. 438-448. https://doi.org/10.1109/OJCS.2025.3545261
A 3D decoupling Alzheimer’s disease prediction network based on structural MRI
Wei, Shicheng, Yang, Wencheng, Wang, Eugene, Wang, Song and Li, Yan. 2025. "A 3D decoupling Alzheimer’s disease prediction network based on structural MRI." Health Information Science and Systems. 13. https://doi.org/10.1007/s13755-024-00333-3
High Security and Privacy Protection Model for STI/HIV Risk Prediction
Tang, Zhaohui, Nguyen, Thi Phuoc Van, Yang, Wencheng, Xia, Xiaoyu, Chen, Huaming, Mullens, Amy B., Dean, Judith A., Osborne, Sonya and Li, Yan. 2024. "High Security and Privacy Protection Model for STI/HIV Risk Prediction." Digital Health. 10, pp. 1-14. https://doi.org/DOI:10.1177/20552076241298425
Generous teacher: Good at distilling knowledge for student learning
Ding, Yifeng, Yang, Gaoming, Yin, Shuting, Zhang, Ji, Fang, Xianjin and Yang, Wencheng. 2024. "Generous teacher: Good at distilling knowledge for student learning." Image and Vision Computing. 150. https://doi.org/10.1016/j.imavis.2024.105199
Advancing face detection efficiency: Utilizing classification networks for lowering false positive incidences
Zhang, Jianlin, Hou, Chen, Yang, Xu, Yang, Xuechao, Yang, Wencheng and Cui, Hui. 2024. "Advancing face detection efficiency: Utilizing classification networks for lowering false positive incidences." Array. 22. https://doi.org/10.1016/j.array.2024.100347
Lightweight federated learning for STIs/HIV prediction
Nguyen, Thi Phuoc Van, Yang, Wencheng, Tang, Zhaohui, Xia, Xiaoyu, Mullens, Amy B., Dean, Judith A. and Li, Yan. 2024. "Lightweight federated learning for STIs/HIV prediction." Scientific Reports. 14 (1). https://doi.org/10.1038/s41598-024-56115-0
UAV Control Method Combining Reptile Meta-Reinforcement Learning and Generative Adversarial Imitation Learning
Jiang, Shui, Ge, Yanning, Yang, Xu, Yang, Wencheng and Cui, Hui. 2024. "UAV Control Method Combining Reptile Meta-Reinforcement Learning and Generative Adversarial Imitation Learning." Future Internet. 16 (3). https://doi.org/10.3390/fi16030105
Evaluating Cryptocurrency Market Risk on the Blockchain: An Empirical Study Using the ARMA-GARCH-VaR Model
Huang, Yongrong, Wang, Huiqing, Chen, Zhide, Feng, Chen, Zhu, Kexin, Yang, Xu and Yang, Wencheng. 2024. "Evaluating Cryptocurrency Market Risk on the Blockchain: An Empirical Study Using the ARMA-GARCH-VaR Model." IEEE Open Journal of the Computer Society. 5, pp. 83-94. https://doi.org/10.1109/OJCS.2024.3370603
Feature extraction and learning approaches for cancellable biometrics: A survey
Yang, Wencheng, Wang, Song, Hu, Jiankun, Tao, Xiaohui and Li, Yan. 2024. "Feature extraction and learning approaches for cancellable biometrics: A survey." CAAI Transactions on Intelligence Technology. 9 (1), pp. 4-25. https://doi.org/10.1049/cit2.12283
An Adaptive Feature Fusion Network for Alzheimer’s Disease Prediction
Wei, Shicheng, Li, Yan and Yang, Wencheng. 2023. "An Adaptive Feature Fusion Network for Alzheimer’s Disease Prediction." 12th International Conference on Health Information Science (HIS 2023). Melbourne, Australia 23 - 24 Oct 2023 Germany. https://doi.org/10.1007/978-981-99-7108-4
A Review of Homomorphic Encryption for Privacy-Preserving Biometrics
Yang, Wencheng, Wang, Song, Cui, Hui, Tang, Zhaohui and Li, Yan. 2023. "A Review of Homomorphic Encryption for Privacy-Preserving Biometrics." Sensors. 23 (7). https://doi.org/10.3390/s23073566
Hybrid KD-NFT: A multi-layered NFT assisted robust Knowledge Distillation framework for Internet of Things
Wang, Nai, Chen, Junjun, Wu, Di, Yang, Wencheng, Xiang, Yong and Sajjanhar, Atul. 2023. "Hybrid KD-NFT: A multi-layered NFT assisted robust Knowledge Distillation framework for Internet of Things." Journal of Information Security and Applications. 75. https://doi.org/10.1016/j.jisa.2023.103483
A review of multi-factor authentication in the Internet of Healthcare Things
Suleski, Tance, Ahmed, Mohiuddin, Yang, Wencheng and Wang, Eugene. 2023. "A review of multi-factor authentication in the Internet of Healthcare Things." Digital Health. 9, pp. 1-20. https://doi.org/10.1177/20552076231177144
Token-Based Biometric Enhanced Key Derivation for Authentication Over Wireless Networks
Cui, Hui, Yang, Xuechao, Yang, Wencheng, Qin, Baodong and Yi, Xun. 2023. "Token-Based Biometric Enhanced Key Derivation for Authentication Over Wireless Networks." IEEE Transactions on Network Science and Engineering. 10 (4), pp. 2347-2357. https://doi.org/10.1109/TNSE.2023.3246439
A Secure Online Fingerprint Authentication System for Industrial IoT Devices over 5G Networks
Bedari, Aseel, Wang, Song and Yang, Wencheng. 2022. "A Secure Online Fingerprint Authentication System for Industrial IoT Devices over 5G Networks." Sensors. 22 (19), pp. 1-16. https://doi.org/10.3390/s22197609
Multimedia security and privacy protection in the internet of things: research developments and challenges
Yang, Wencheng, Wang, Song, Hu, Jiankun and Karie, Nickson M.. 2022. "Multimedia security and privacy protection in the internet of things: research developments and challenges." International Journal of Multimedia Intelligence and Security. 4 (1), pp. 20-46. https://doi.org/10.1504/ijmis.2022.121282
A linear convolution-based cancelable fingerprint biometric authentication system
Yang, Wencheng, Wang, Song, Kang, James Jin, Johnstone, Michael N. and Bedari, Aseel. 2022. "A linear convolution-based cancelable fingerprint biometric authentication system." Computers and Security. 114, pp. 1-14. https://doi.org/10.1016/j.cose.2021.102583
A Review on Security Issues and Solutions of the Internet of Drones
Yang, Wencheng, Wang, Song, Yin, Xuefei, Wang, Xu and Hu, Jiankun. 2022. "A Review on Security Issues and Solutions of the Internet of Drones." IEEE Open Journal of the Computer Society. 3, pp. 96-110. https://doi.org/10.1109/OJCS.2022.3183003
Network Forensics in the Era of Artificial Intelligence
Yang, Wencheng, Johnstone, Michael N., Wang, Song, Karie, Nickson M., Bin Sahri, Nor Masri and Kang, James Jin. 2022. "Network Forensics in the Era of Artificial Intelligence." Ahmed, Mohiuddin, Islam, Sheikh Rabiul, Anwar, Adnan, Moustafa, Nour and Pathan, Al-Sakib Khan (ed.) Explainable Artificial Intelligence for Cyber Security: Next Generation Artificial Intelligence. Cham, Switzerland. Springer. pp. 171-190
Leveraging Artificial Intelligence Capabilities for Real-Time Monitoring of Cybersecurity Threats
Karie, Nickson M., Bin Sahri, Nor Masri Bin, Yang, Wencheng and Johnstone, Michael N.. 2022. "Leveraging Artificial Intelligence Capabilities for Real-Time Monitoring of Cybersecurity Threats." Ahmed, Mohiuddin, Islam, Sheikh Rabiul, Anwar, Adnan, Moustafa, Nour and Pathan, Al-Sakib Khan (ed.) Explainable Artificial Intelligence for Cyber Security: Next Generation Artificial Intelligence. Cham, Switzerland. Springer. pp. 141-169
Biometrics for internet‐of‐things security: A review
Yang, Wencheng, Wang, Song, Sahri, Nor Masri, Karie, Nickson M., Ahmed, Mohiuddin and Valli, Craig. 2021. "Biometrics for internet‐of‐things security: A review." Sensors. 21 (18). https://doi.org/10.3390/s21186163
Security and Forensics in the Internet of Things: Research Advances and Challenges
Yang, Wencheng, Johnstone, Michael N., Sikos, Leslie F. and Wang, Song. 2020. "Security and Forensics in the Internet of Things: Research Advances and Challenges." 2020 Workshop on Emerging Technologies for Security in IoT (ETSecIoT). Sydney, Australia 21 - 21 Apr 2020 Australia. IEEE (Institute of Electrical and Electronics Engineers). pp. 12-17 https://doi.org/10.1109/ETSecIoT50046.2020.00007
A Critical Analysis of ECG-Based Key Distribution for Securing Wearable and Implantable Medical Devices
Zheng, Guanglou, Shankaran, Rajan, Yang Wencheng, Valli, Craig, Qiao, Li, Orgun, Mehmet A. and Mukhopadhyay, Subhas Chandra. 2019. "A Critical Analysis of ECG-Based Key Distribution for Securing Wearable and Implantable Medical Devices." IEEE Sensors Journal. 19 (3), pp. 1186-1198. https://doi.org/10.1109/JSEN.2018.2879929